Wired’s Bruce Schneier recently posted this interesting article, ‘When it comes to security, we’re back to feudalism.’ It makes some interesting points, but I think it misses the overall trend. Society, the Internet and Internet security aren’t moving back to feudalism; we’re moving forward to something more distributed.

Historical feudalism is highly hierarchical. You have the monarch, nobles and knights on top, and the merchants, farmers and peasants at the bottom of the pyramid. I see the future of security as a far more networked and distributed form of organization, like a mesh network. Each node on the network would be a zone of governance, so to speak. Moving from node to node, you step into different zones with differing rules and structures, many of which overlap. So you might live in a gated community with a private security force, yet it’s still subject to state and local laws. You’d drive on a private highway to your corporate campus, which might have its own security and electrical system, but it still draws water from the municipal wells. You use Google for its great web services, but you prefer Apple for its hardware design, closed ecosystem and security.

For me, the mesh network is a better analogy because all of these pieces tie together and frequently overlap. So it’s not the position of each relative to the others that matters. In feudalism, where you are on the pyramid makes all the difference. It’s better being the lowliest knight than the highest serf. Knights have much better security protections, and can provide better security to their lord than a peasant can. With zones of governance, or distributed governance, the position of each relative to the others doesn’t matter. What is important is the strength and nature of the connections between them.

So your gated community can have its own security, but it’s still subject to the authority of the State. A strong connection. The local mall may be owned by a Chinese conglomerate, but they can’t suppress free speech on the property: strong connection to US law; weak connection to Chinese law. You might be 100% Android and have a strong connection to Google, or you own an iPhone and use Google Maps and Gmail, so you have moderate connections to both. These fall under US law, so there is a strong connection there.

But perhaps you download a Chinese chat app which just happens to be monitored by the PLA. So you might have a strong (and negative) Chinese security connection you don’t know about. You may have connections to things you aren’t aware of and probably don’t want to be connected to. Surfacing these hidden connections will probably be critical in the future.

And more important than how strong your security connection is to any one node is how the overlapping webs of security work together, and how resilient your overall system is to failure. So if access to your Gmail would allow a hacker access to all your other accounts in your personal network, then you do indeed have an artificial hierarchy due to the single point of failure. (Kill the noble and the kingdom falls.) We have to acknowledge that we can’t protect everything, so we have to build our security in such a fashion that if a catastrophic failure occurs, the system has enough redundancy and firewalls that the disaster would be contained (more like the line of succession in case of the President’s death).

So I think the mesh network / distributed governance / zones of governance analogy will be a better method for describing the future of human security and society than medieval feudalism, which was strictly hierarchical. And redundancy is key. In the security environment, this means a much more distributed, networked model. So if gated community security fails, you can still call 911, and if your mobile OS lets in malware, your hardware device has protocols to limit the damage.
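The single-point-of-failure and hidden-connection arguments above can be made concrete by treating your accounts as a graph of "who can reset whom" and measuring how far one compromise cascades. This is an added example written for this post, not code from the original; all account names and edges are constructed, and the `HIERARCHY` and `MESH` layouts are assumed illustrations of the two models.

```python
"""Model 'control of A lets an attacker take over B' as a directed graph,
then measure the blast radius of a single compromise.  Constructed sample data."""
from collections import deque

# Edge A -> B means B's password reset (or login) is controlled from A.
HIERARCHY = {
    "old-yahoo": {"gmail"},                  # forgotten recovery address for Gmail
    "gmail": {"bank", "shopping", "social", "cloud-backup"},
    "bank": set(), "shopping": set(), "social": set(), "cloud-backup": set(),
}
# Same accounts with recovery spread over independent channels (the 'mesh').
MESH = {
    "old-yahoo": set(),                      # no longer used for recovery anywhere
    "gmail": {"shopping"},
    "phone-sms": {"social"},
    "hardware-key": {"bank", "cloud-backup"},
    "bank": set(), "shopping": set(), "social": set(), "cloud-backup": set(),
}

def blast_radius(graph, start):
    """Every account reachable from compromising `start` (BFS transitive closure)."""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen - {start}

def hidden_dependencies(graph, start):
    """Accounts exposed by `start` only transitively: the connections the
    owner is probably not aware of."""
    return blast_radius(graph, start) - set(graph.get(start, ()))

def single_points_of_failure(graph, threshold=0.5):
    """Nodes whose compromise cascades to at least `threshold` of the others;
    any such node is the 'noble' whose fall takes the kingdom with it."""
    others = len(graph) - 1
    if others <= 0:                          # a lone node cannot cascade
        return []
    return sorted(n for n in graph
                  if len(blast_radius(graph, n)) / others >= threshold)

if __name__ == "__main__":
    for name, graph in (("hierarchy", HIERARCHY), ("mesh", MESH)):
        print(name, "single points of failure:", single_points_of_failure(graph))
        for node in graph:
            print(f"  {node}: reaches {sorted(blast_radius(graph, node))}, "
                  f"hidden {sorted(hidden_dependencies(graph, node))}")
```

Run against the hierarchy, the forgotten `old-yahoo` address surfaces as the worst single point of failure even though the owner never thinks of it; the mesh layout has none.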